Error correcting software from the beginning

IT security community comes to a consensus on the most serious coding errors to avoid

By William Jackson

Jan 12, 2009

A coalition of government, academic and private-sector security organizations have announced a list of the top 25 programming errors that are responsible for the majority of security vulnerabilities plaguing applications.

The list, which is availableonline, represents a consensus of the most significant errors on which the IT community should concentrate to improve the security and reliability of software. Developers hope the list will be used by universities in programming curriculum, by vendors and developers as a standard for proper coding, and as a specification when acquiring software.

The initiative was managed by the Sans Institute and Mitre Corp., with support from the National Security Agency and the Homeland Security Department’s National Cyber Security Division.

Konrad Vesey of NSA’s Information Assurance Directorate said the list will help shift software security away from a reactive posture by system administrators, and make it more proactive by putting more responsibility with software developers.

"When consumers see that most vulnerabilities are caused by a mere twenty-five weaknesses, a new standard for due diligence in product development is likely to emerge,” Vesey said. “The vocabulary of software security is expanded from what the vendor tested against to what the vendor built in."

Contributors to the program include major software and security companies, along with universities, independent organizations and individuals, as well as U.S. and foreign government agencies.

The errors included in the list are not newly discovered; they are drawn from the Common Weakness Enumeration database, a standardized listing of more than 700 recognized programming weaknesses that is maintained by Mitre with support from DHS.

A weakness is an error or condition in software code that, under certain circumstances, can create a vulnerability that can be exploited maliciously. Automated tools exist to look for many of these weaknesses, but finding and eliminating them is not a simple task.

“No tool can correctly determine in every conceivable case whether or not a piece of code has a vulnerability,” the National Institute of Standards and Technology wrote in Special Publication 500-268 when it developed specifications for source code analysis tools. “A weakness may result in a vulnerability in one environment, but not in another.” There also are mathematical and practical limits to the ability of algorithms to detect weaknesses in software, and not all weaknesses result in vulnerabilities.

NIST specified a list of 21 source-code weaknesses from the CWE database that source code analysis tools should be able to identify. There is little overlap between that list and the top 25 list released today by Sans and Mitre. Only three weaknesses appear on both lists.

Developers of the list, which will be updated regularly, expect that it will be used as a standard for evaluating coding and software development. Customers could use it as a specification in acquiring software from vendors, requiring that the software be certified free of the errors; testing and analysis tools used by programmers and customers could be designed to focus on the errors; colleges could teach against them in programming courses, and employers could require an understanding of them by their programmers and application developers.

The top 25 errors fall into three categories: Insecure interaction between components, with nine errors; risky resource management, also with nine errors; and porous defenses, with seven errors. Full details of the weaknesses are available online from Sans and Mitre. Those included in the list, along with their CWE identification, are: